Vault dynamic generation of permanent password


we are currently moving more and more to Vault. However, one feature we lack from other tools we use (ie: trocla) is the possibility to generate a password on the first read of a key, but then get the same when you read the key again.

Dynamic passwords offers new credentials every time, and kv does not seems to support such feature. This is especially useful when integrating with config management softwares like Puppet.

Am I missing something ? I also did not find any plugin offering such service.

Hi Maxence,

the Key/Value secret engine currently doesn’t offer this feature.

In my opinion, you could check if the returned secret is empty and use the tools generate random bytes API to generate a random secret which you can insert into Vault’s Key/Value secret engine.

Would this be a suitable workaround for you?



thanks for the reply. It could be suitable, but still not ideal as it would require an extra wrapper / plugin to be developed.
The interesting thing with having them generated automatically is that it requires only one call to set&get (which is how most puppet secret backends work : only one call to get the secret)

You could use what I called the “Seinfeld hash” (a hash about nothing) I described here:

Basically you do this:

  1. Create a key in the transit backend

  2. Hash nothing to get some random bytes.

    • That will be your password
    • You will get the same result back all the time, and it will always be different from one Vault to the other
    • Changing path in Transit allows you to reuse the scheme for different sets of applications
    • You could also hash some well known value, but it adds nothing but the trouble of distributing that value
  3. To change the password, rotate the transit key.